Changeset 60649

Timestamp:

08/19/2025 07:07:11 PM (3 months ago)

Author:

jonsurrell

Message:

HTML API: Improve script tag escape state processing.

Addresses some edge cases parsing of script tag contents:

• "<!-->" remains in the unescaped state and does not enter the escaped state.
• Contents in the escaped state that end with "<script" do not enter double-escaped state.
• "\f" (Form Feed) was missing as a tag name terminating character.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9397 and ​https://github.com/WordPress/wordpress-develop/pull/9402.

Props jonsurrell, dmsnell.
See #63738.

Location:

trunk

Files:

• src/wp-includes/html-api/class-wp-html-tag-processor.php (modified) (2 diffs)
• tests/phpunit/tests/html-api/wpHtmlTagProcessor.php (modified) (1 diff)

trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -1557 +1557 @@
 
             /*
-             * Unlike with "-->", the "<!--" only transitions
-             * into the escaped mode if not already there.
-             *
-             * Inside the escaped modes it will be ignored; and
-             * should never break out of the double-escaped
-             * mode and back into the escaped mode.
-             *
-             * While this requires a mode change, it does not
-             * impact the parsing otherwise, so continue
-             * parsing after updating the state.
+             * "<!--" only transitions from _unescaped_ to _escaped_. This byte sequence is only
+             * significant in the _unescaped_ state and is ignored in any other state.
              */
             if (
+                'unescaped' === $state &&
                 '!' === $html[ $at ] &&
                 '-' === $html[ $at + 1 ] &&
                 '-' === $html[ $at + 2 ]
             ) {
-                $at   += 3;
-                $state = 'unescaped' === $state ? 'escaped' : $state;
+                $at += 3;
+
+                /*
+                 * The parser is ready to enter the _escaped_ state, but may remain in the
+                 * _unescaped_ state. This occurs when "<!--" is immediately followed by a
+                 * sequence of 0 or more "-" followed by ">". This is similar to abruptly closed
+                 * HTML comments like "<!-->" or "<!--->".
+                 *
+                 * Note that this check may advance the position significantly and requires a
+                 * length check to prevent bad offsets on inputs like `<script><!---------`.
+                 */
+                $at += strspn( $html, '-', $at );
+                if ( $at < $doc_length && '>' === $html[ $at ] ) {
+                    ++$at;
+                    continue;
+                }
+
+                $state = 'escaped';
                 continue;
             }
@@ -1611 +1620 @@
             $at += 6;
             $c   = $html[ $at ];
-            if ( ' ' !== $c && "\t" !== $c && "\r" !== $c && "\n" !== $c && '/' !== $c && '>' !== $c ) {
-                ++$at;
+            if (
+                /**
+                 * These characters trigger state transitions of interest:
+                 *
+                 * - @see {https://html.spec.whatwg.org/multipage/parsing.html#script-data-end-tag-name-state}
+                 * - @see {https://html.spec.whatwg.org/multipage/parsing.html#script-data-escaped-end-tag-name-state}
+                 * - @see {https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escape-start-state}
+                 * - @see {https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escape-end-state}
+                 *
+                 * The "\r" character is not present in the above references. However, "\r" must be
+                 * treated the same as "\n". This is because the HTML Standard requires newline
+                 * normalization during preprocessing which applies this replacement.
+                 *
+                 * - @see https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream
+                 * - @see https://infra.spec.whatwg.org/#normalize-newlines
+                 */
+                '>' !== $c &&
+                ' ' !== $c &&
+                "\n" !== $c &&
+                '/' !== $c &&
+                "\t" !== $c &&
+                "\f" !== $c &&
+                "\r" !== $c
+            ) {
                 continue;
             }

trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php

@@ -2010 +2010 @@
      * Data provider.
      */
-    public static function data_script_tag(): array {
-        return array(
-            'Basic script tag'                          => array( '<script></script>', true ),
-            'Script with type attribute'                => array( '<script type="text/javascript"></script>', true ),
-            'Script data escaped'                       => array( '<script><!--</script>', true ),
-            'Script data double-escaped exit (comment)' => array( '<script><!--<script>--></script>', true ),
-            'Script data double-escaped exit (closed)'  => array( '<script><!--<script></script></script>', true ),
-            'Script data double-escaped exit (closed/truncated)' => array( '<script><!--<script></script </script>', true ),
-            'Script data no double-escape'              => array( '<script><!-- --><script></script>', true ),
-
-            'Script tag with self-close flag (ignored)' => array( '<script />', false ),
-            'Script data double-escaped'                => array( '<script><!--<script></script>', false ),
-        );
+    public static function data_script_tag(): Generator {
+            yield 'Basic script tag'                              => array( '<script></script>', true );
+            yield 'Script tag with </script> close'               => array( '<script></script>', true );
+            yield 'Script tag with </script/> close'              => array( '<script></script/>', true );
+            yield 'Script tag with </script > close'              => array( '<script></script >', true );
+            yield 'Script tag with </script\n> close'             => array( "<script></script\n>", true );
+            yield 'Script tag with </script\t> close'             => array( "<script></script\t>", true );
+            yield 'Script tag with </script\f> close'             => array( "<script></script\f>", true );
+            yield 'Script tag with </script\r> close'             => array( "<script></script\r>", true );
+            yield 'Script with type attribute'                    => array( '<script type="text/javascript"></script>', true );
+            yield 'Script data escaped'                           => array( '<script><!--</script>', true );
+            yield 'Script data double-escaped exit (comment)'     => array( '<script><!--<script>--></script>', true );
+            yield 'Script data double-escaped exit (closed ">")'  => array( '<script><!--<script></script></script>', true );
+            yield 'Script data double-escaped exit (closed "/")'  => array( '<script><!--<script></script/</script>', true );
+            yield 'Script data double-escaped exit (closed " ")'  => array( '<script><!--<script></script </script>', true );
+            yield 'Script data double-escaped exit (closed "\n")' => array( "<script><!--<script></script\n</script>", true );
+            yield 'Script data double-escaped exit (closed "\t")' => array( "<script><!--<script></script\t</script>", true );
+            yield 'Script data double-escaped exit (closed "\f")' => array( "<script><!--<script></script\f</script>", true );
+            yield 'Script data double-escaped exit (closed "\r")' => array( "<script><!--<script></script\r</script>", true );
+            yield 'Script data no double-escape'                  => array( '<script><!-- --><script></script>', true );
+            yield 'Script data no double-escape (short comment)'  => array( '<script><!--><script></script>', true );
+            yield 'Script data almost double-escaped'             => array( '<script><!--<script</script>', true );
+            yield 'Script data with complex JavaScript'           => array(
+                '<script>
+                    var x = 10;
+                    x--;
+                    x < 0 ? x += 100 : x = (x + 1) - 1;
+                </script>',
+                true,
+            );
+
+            yield 'Script tag with self-close flag (ignored)'     => array( '<script />', false );
+            yield 'Script data double-escaped'                    => array( '<script><!--<script></script>', false );
+            yield 'Unclosed script in escaped state'              => array( '<script><!--------------', false );
+            yield 'Unclosed script in double escaped state'       => array( '<script><!--<script ', false );
+            yield 'Document end in closer start'                  => array( '<script></', false );
+            yield 'Document end in script closer'                 => array( '<script></script', false );
+            yield 'Document end in script closer with attributes' => array( '<script></script attr="val"', false );
+            yield 'Script tag double-escaped with <script>'       => array( '<script><!--<script></script>', false );
+            yield 'Script tag double-escaped with <script/'       => array( '<script><!--<script/</script>', false );
+            yield 'Script tag double-escaped with <script '       => array( '<script><!--<script </script>', false );
+            yield 'Script tag double-escaped with <script\n'      => array( "<script><!--<script\n</script>", false );
+            yield 'Script tag double-escaped with <script\t'      => array( "<script><!--<script\t</script>", false );
+            yield 'Script tag double-escaped with <script\f'      => array( "<script><!--<script\f</script>", false );
+            yield 'Script tag double-escaped with <script\r'      => array( "<script><!--<script\r</script>", false );
     }